Broken authentication, improperly secured configuration files, and poor certificate management: Attackers could have exploited these issues to compromise any RHEL (Red Hat Enterprise Linux) instance on Microsoft Azure.
, an Irish software engineer with the e-commerce company Zalando, discovered these flaws when creating a machine image of RHEL that was compliant with the defined by the Department of Defense. Microsoft has since fixed these problems, but they offer an object lesson in the hazards of poorly implemented .
The client configuration files in Azure’s Red Hat Package Manager contain build host information that could be used to discover all of Azure’s Red Hat Update Appliances, Duffy said. The Red Hat Update Appliance is part of the Red Hat Update Infrastructure, which lets cloud platforms like Microsoft Azure and Amazon Web Services run local yum repositories, instead of having individual RHEL instances connect to Red Hat servers every time they need to update a package or install a new application.
Both Azure and AWS manage a Red Hat Update Appliance for each region, and each RHEL instance connects to the region’s appliance when running yum to install or update packages. Duffy found it was possible to discover all of Azure’s Red Hat Update Appliances and gain administrator access in order to upload compromised packages to the servers. Attackers could gain control over all Azure RHEL instances that executed yum against the compromised appliance and received the tampered files.
(WaLinuxAgent) would have had a “much more widespread” impact, Duffy said.
The Red Hat Enterprise Linux image available on the Microsoft Azure Marketplace had a vulnerable version of WaLinuxAgent that exposed the administrator API keys for the storage account used by the virtual machine. With the API key, the attacker could download virtual hard disks for any RHEL instances using that storage account. Since multiple virtual machines shared a single storage account, an attacker could download multiple virtual hard disks at a time.
Azure administrators should check to make sure they aren’t using RHEL image with the vulnerable agent, WaLinuxAgent 2.0.16.
Shared responsibility on the cloud
Microsoft has clearly spelled out the expectations for securing its cloud platforms in the and whitepapers. Microsoft will take care of all the security for its buildings, servers, networking hardware, and the hypervisor for organizations using Azure for IaaS. The operating system, network configuration, applications, identity management, client security, and data remain under IT control.
In this case, because the issue lay with the fact that the appliances and applications were publicly accessible, the fix was Microsoft’s responsibility. However, that doesn’t absolve IT administrators from regularly monitoring the instances for unusual activity or checking what packages are being installed on their machines. Just because the provider is responsible for that portion of cloud security doesn’t mean IT administrators can ease their vigilance.